“The message I want to get across is that if any of us think that Stuxnet-like attacks can only hit centrifugal systems in Iran and not exchanges or clearing houses, then I would say just continue dreaming.” Andreas Preuss, CEO of Eurex, at the 39th Annual International Futures Industry Conference, London, June 2014.
When one imagines the main risks present in a central counterparty clearing house (CCP), counterparty risk would likely spring to mind as one of the most important, probably followed by asset safety and then financial risk. Operational risk usually receives the least attention; however, it may be the risk with the largest potential impact. After all, a ‘fat finger’ event at HanMag Securities in Korea led to the Korea Exchange using non-defaulting clearing members’ default fund contributions for the first time in memory, whereas the default of Lehman Brothers (a large clearing member of numerous CCPs) was dealt with effectively, in the sense that sufficient margin was held to cover exposures. The main subject of this article, however, is not ‘fat fingers’ but cyber-crime, another type of operational risk.
In a paper entitled ‘Cyber-Crime, Securities Markets and Systemic Risk’ by the International Organisation of Securities Commissions (IOSCO) and World Federation of Exchanges (WFE) in July 2013, cyber-crime is defined as:
“…a harmful activity, executed by one group (including both grassroots groups and nationally coordinated groups) through computers, IT systems and/or the internet and targeting the computers, IT infrastructure and internet presence of another entity.”
The same IOSCO/WFE survey found that over half of the exchanges surveyed had experienced a cyber-attack, with the majority of attacks being disruptive in nature rather than aimed at financial gain. A worrying statistic from the survey was that only 47% of the largest exchanges and CCPs (those with revenues over USD 500 million) believed they were prepared to withstand a ‘co-ordinated, large-scale cyber-attack’. The report estimates the cost of cyber-crime to society at between USD 388 billion and USD 1 trillion. To put this into perspective, world GDP in 2013 was around USD 74 trillion.
On 15 November 2013, CME Group, of which CME Clearing and CME Clearing Europe are subsidiaries, announced that it was a victim of a cyber-intrusion, which led to the release of customer information relating to the CME ClearPort platform. Whilst clearing services were not reported to be affected, this demonstrates that even market-leading companies are vulnerable.
The increase in the number of cyber-attacks on financial institutions has led the Bank of England to highlight cyber-risk as a supervisory priority for all the financial market infrastructures (FMIs) it supervises, including CCPs.
Banks are increasingly spending large amounts of their resources, both cash and people, to improve their systems and threat intelligence. In a letter to shareholders, J.P. Morgan announced that it has 1,000 people focused on the threat and will spend USD 250 million in 2014. Just how much are CCPs spending on operational risk?
Whilst it is difficult to ascertain how much a CCP spends on operational risk, we can gain an idea of the capital it is required to hold against an operational event, such as a cyber-attack, by taking the European model. According to Article 1 of the Regulatory Technical Standards (RTS) on Capital Requirements for Central Counterparties, which supplement the European Market Infrastructure Regulation (EMIR), a CCP is required to hold capital, including retained earnings and reserves, which at all times is at least equal to the sum of:
- the CCP’s capital requirements for winding down or restructuring;
- the CCP’s capital requirements for operational and legal risks;
- the CCP’s capital requirements for credit, counterparty and market risks; and
- the CCP’s capital requirements for business risk.
These requirements cover risks that are not met by clearing members’ margin or default fund contributions. For the second of these, operational and legal risks, the minimum requirement for a CCP using the Basic Indicator Approach is 15% of its gross income. If a cyber-attack were successful, would this amount be sufficient to cover the potential losses?
In the CPSS-IOSCO Principles for Financial Market Infrastructures (PFMIs), Principle 15 requires an infrastructure to hold sufficient liquid net assets funded by equity to cover potential general business losses; however, what happens when these risks cannot be quantified, or even identified, appropriately?
In the case of a successful cyber-attack on a CCP, what effect would it have on the operations of the institution?
Such an attack could result in: a clearing member’s collateral being stolen if held at the CCP; customer records being altered; CCP systems being blocked or brought down; and confidence in the entity, and indeed in the financial system, being called into question.
A CCP’s main objective is to remove the credit risk from each bilateral transaction; however, in doing so the CCP becomes the concentrator of credit risk: the risk that was present in those bilateral arrangements now resides within the CCP. CCPs seek to offset potential losses from this risk through margining and the collection of default fund contributions. Clearing houses are an essential part of a nation’s financial system, so does this concentration leave them open to a greater number of attacks?
What can be done?
In the ‘Bank of England’s Supervision of Financial Market Infrastructures — Annual Report 2014,’ the Bank emphasised that vulnerability testing against cyber-threats must be conducted and that new security testing standards need to be developed.
At a recent POLITICO Pro Financial Services event in the United States, Larry Zelvin, the director of the National Cybersecurity and Communications Integration Center, echoed the Bank of England’s view, noting that “there is no one standard. Each company is different,” and that “financial institutions need to have employees dedicated to cybersecurity and not take the approach that the task can be completely outsourced.”
Andrew Gracie, the Executive Director for Resolution at the Bank of England, recently addressed delegates at the British Bankers’ Association Cyber Conference in London. He stated that, “Detailed prescription is not going to work: as technology, and the threats related to it, evolve, any attempt to etch standards in stone is likely to become outmoded and ineffective.”
Gracie also spoke about CBEST, a framework for intelligence-led penetration testing that is designed to identify vulnerabilities and recommend steps to address them. It was developed by CREST (the Council of Registered Ethical Security Testers), the Bank of England, HM Treasury and the Financial Conduct Authority.
Penetration testing is one response to an increasingly grave problem; the objective of a test is to find exploitable vulnerabilities, typically those arising from misconfiguration and weak patch management processes. A penetration test, however, is a snapshot taken at a point in time (quarterly or yearly) rather than a continuous picture (daily), and it cannot evolve with the threat between tests. In the view of the authorities, it therefore needs to be supplemented with other controls, such as vulnerability scanning, which can be run continuously.
In addition, cyber-crime needs to be addressed within disaster recovery procedures, with the what-if scenarios clearly identified and plans established. To prevent attackers entering through a trusted connection, CCPs need to ensure that all third-party providers, and indeed anyone connecting to the CCP, are appropriately managed from an IT-security point of view; after all, you are only as strong as your weakest link.
Finally, an effective cyber-security framework is only as good as its people. It is therefore imperative that employees of a CCP are fully aware of the threats and of the actions the CCP is taking to manage them. It is equally important that boards of directors understand why such a framework matters, so that its importance is communicated effectively throughout the organisation.
As the cost of clearing rises, it is easy for an infrastructure to cut corners and hope to avoid a so-called Black Swan event, especially as information on cyber-security and FMIs has, until recently, been scarce and competition for clients remains fierce. If CCPs fail to take this intangible risk into account, however, it may end up leading to very tangible losses.